Configuring Your Identity Provider (IdP)

IdP Requirements

To use SAML with Shares, you must already have an identity provider (IdP) that meets the following requirements:

Supports SAML 2.0
Able to use an HTTP POST Binding.
Able to connect to the same directory service that Shares uses.
Not configured to use pseudonyms.
Can return assertions to Shares that include the entire contents of the signing certificate.
If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)

IdP Metadata Formats

You must configure formats to set up your IdP to work with Shares:

Tag	Format
NameID Format	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
Entity ID	https://`shares_ip`/auth/saml/metadata/
Binding	`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST`
Callback URL	https://`shares_ip`/auth/saml/callback

If the IdP is capable of reading SAML XML metadata for a service provider, you can upload a saved XML metadata file to configure the IdP. You can retrieve the XML metadata for an existing Shares by going to https://server_ip/auth/saml/metadata and saving the XML as an XML file.

SAML Assertion Requirements

Shares: expects assertion from an IdP to contain the following elements:

Default Attribute	Shares User Field	Required
`NameID` / `SAML_SUBJECT` / `id`	Username	Yes, with the format: `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
`email`	Email address	Yes
`given_name`	First name	Yes
`surname`	Last name	Optional
`member_of`	SAML group	Necessary for SAML groups

Tip: All attributes other than NameID or SAML_SUBJECT or id can also use the urn:oasis:names:tc:SAML:2.0:attrname-format:basic format.